Malicious PDF — malware analysis report

Static analysis result for SHA-256 1675beb019339af4…

Verdict: MALICIOUS
File type: PDF
Size: 57.1 KB
Authoring application: Soda PDF
MD5: d68a59fca43dc44a393579f79a6c1923
SHA-1: 7c01b962040ae98f83727784a4fd3df5f3f0fb06
SHA-256: 1675beb019339af4b4dc1b90f15e3d4a5ff7ad5d638e3511bde2e02f661086c9
Risk Score: 152

Malware Insights

MITRE ATT&CK
T1566.001 Phishing: Spearphishing Attachment; T1204.002 User Execution: Malicious File

The PDF is a small carrier (57.1 KB) holding a large number of clickable external links, which is what the PDF_SEO_LINK_FARM heuristic flags. The ML classifier (0.9999) and ClamAV (Pdf.Phishing.TtraffRobotInstall) both rate it malicious. The link targets are almost all further PDF files; each sits on a different domain, but all share the same /uploads/1/3/0/n/130xxxxxx/ path layout, which is consistent with a single site-builder hosting platform being used to host the whole network and not with a normal citation pattern. The remaining http(s) strings in the file (ascendercorp.com, fedoraproject.org, dejavu.sourceforge.net) are the license URLs of the Liberation and DejaVu fonts and match the three embedded sfnt fonts carved below; they are font metadata, not campaign links, and should be excluded from any IOC list built from this sample. The page text is partially obfuscated but repeats many of the campaign URLs, consistent with a phishing or SEO spam carrier whose job is to route the reader into a network of external PDFs.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9999

Heuristics (3)

  • PDF_SEO_LINK_FARM (critical): Small PDF contains mass external PDF link farm
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • CLAMAV_DETECTION (critical): ClamAV: Pdf.Phishing.TtraffRobotInstall-7605656-0
    ClamAV detected this file as malware: Pdf.Phishing.TtraffRobotInstall-7605656-0
  • EMBEDDED_URL (info): Embedded URL
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • http://ozhiking.com/uploads/1/3/0/5/130550968/1118557.pdf
    • http://inscienceitrust.net/uploads/1/3/0/6/130622084/zobasivab.pdf
    • http://arielledollinger.com/uploads/1/3/0/3/130323603/9c56938347.pdf
    • http://metropolismexican-grill.com/uploads/1/3/0/3/130379841/sezajumolodew-sasiwupeki-dodiv.pdf
    • http://twinflameoracleshamanhealing.com/uploads/1/3/0/5/130552043/tijubiti_vogev.pdf
    • http://smithsolarlab.com/uploads/1/3/0/7/130775034/f6db02f1b4993.pdf
    • http://morph-bcs.com/uploads/1/3/0/3/130313107/pusotelure.pdf
    • http://thetri-fectagroup.com/uploads/1/3/0/5/130588157/ribokutol-xerubotavafeva-mefuropulewi.pdf
    • http://alaskacharr.org/uploads/1/3/0/5/130550752/f9f05b4bf025.pdf
    • http://rarebreedmuzak.com/uploads/1/3/0/2/130289173/mifetape.pdf
    • http://medcem.org/uploads/1/3/0/5/130551129/wozekotimo-xuwonefokepilad.pdf
    • http://cyclebavaria.com/uploads/1/3/0/2/130273610/130273610.html#ielts+writing+task+1+band+9+general
    • http://www.ascendercorp.com/
    • http://www.ascendercorp.com/typedesigners.html
    • https://fedoraproject.org/wiki/Licensing/LiberationFontLicense
    • http://dejavu.sourceforge.net
    • http://dejavu.sourceforge.net/wiki/index.php/License
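The two points the report makes above, that only the link annotations are clickable while the font license URLs are mere strings, and that a link farm is a small PDF whose clickable targets cluster on one hosting pattern, are easy to check by hand. The following is an added example (not the analyzer's own code) that builds a constructed, uncompressed PDF from the URLs listed above, separates URLs by channel, and applies a link-farm rule. The thresholds and the upload-path pattern are assumptions for the example; the real PDF_SEO_LINK_FARM heuristic does not publish its parameters. It generalizes the heuristic's "clustered on one host" to "clustered on one path layout", which is what this sample actually shows.

```python
"""Triage of a link-farm PDF carrier: which URLs are actually clickable, and do
they form a farm? Added example, not the analyzer's own implementation."""
import re
from urllib.parse import urlparse

# Hypothetical thresholds chosen for this example; the report's
# PDF_SEO_LINK_FARM heuristic does not publish its own.
MAX_CARRIER_SIZE = 100 * 1024          # "small PDF"
MIN_EXTERNAL_PDF_LINKS = 8
MIN_SHARED_PATH_FRACTION = 0.6

# /A << /S /URI /URI (http://...) >> on a /Link annotation: the clickable channel.
# Literal-string form only; hex strings and escaped parentheses are not handled.
URI_ACTION_RE = re.compile(rb"/URI\s*\(([^)]*)\)")
# Any http(s) URL in the raw bytes: page text, font license strings, metadata.
ANY_URL_RE = re.compile(rb"https?://[^\s()<>\"']+")
# Site-builder upload layout shared by the campaign links: /uploads/1/3/0/5/130550968/
UPLOAD_PATH_RE = re.compile(r"^/uploads(?:/\d)+/\d{9}/")

# Constructed sample: nine campaign .pdf links and one .html link from the report
# as /Link annotations, plus font license URLs that appear only as page text.
SAMPLE_LINKS = [
    "http://ozhiking.com/uploads/1/3/0/5/130550968/1118557.pdf",
    "http://inscienceitrust.net/uploads/1/3/0/6/130622084/zobasivab.pdf",
    "http://arielledollinger.com/uploads/1/3/0/3/130323603/9c56938347.pdf",
    "http://metropolismexican-grill.com/uploads/1/3/0/3/130379841/sezajumolodew-sasiwupeki-dodiv.pdf",
    "http://twinflameoracleshamanhealing.com/uploads/1/3/0/5/130552043/tijubiti_vogev.pdf",
    "http://smithsolarlab.com/uploads/1/3/0/7/130775034/f6db02f1b4993.pdf",
    "http://morph-bcs.com/uploads/1/3/0/3/130313107/pusotelure.pdf",
    "http://thetri-fectagroup.com/uploads/1/3/0/5/130588157/ribokutol-xerubotavafeva-mefuropulewi.pdf",
    "http://alaskacharr.org/uploads/1/3/0/5/130550752/f9f05b4bf025.pdf",
    "http://cyclebavaria.com/uploads/1/3/0/2/130273610/130273610.html#ielts+writing+task+1+band+9+general",
]
SAMPLE_BODY = ("Fonts: https://fedoraproject.org/wiki/Licensing/LiberationFontLicense "
               "http://dejavu.sourceforge.net/wiki/index.php/License")


def build_sample_pdf(link_urls, body_text):
    """Constructed, uncompressed single-page PDF with one /Link annotation per URL
    and body_text drawn as page content (present in the file, but not clickable)."""
    annots = [(5 + i, f"<< /Type /Annot /Subtype /Link /Rect [0 {12 * i} 300 {12 * i + 10}] "
                      f"/A << /S /URI /URI ({url}) >> >>")
              for i, url in enumerate(link_urls)]
    content = f"BT /F1 9 Tf 10 10 Td ({body_text}) Tj ET"
    refs = " ".join(f"{n} 0 R" for n, _ in annots)
    objs = [
        (1, "<< /Type /Catalog /Pages 2 0 R >>"),
        (2, "<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        (3, f"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 300 300] "
            f"/Contents 4 0 R /Annots [{refs}] >>"),
        (4, f"<< /Length {len(content)} >>\nstream\n{content}\nendstream"),
    ] + annots
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in objs:                      # objects are emitted in number order
        offsets.append(len(out))
        out += f"{num} 0 obj\n{body}\nendobj\n".encode("latin-1")
    xref = len(out)
    out += f"xref\n0 {len(objs) + 1}\n0000000000 65535 f \n".encode()
    out += b"".join(f"{o:010d} 00000 n \n".encode() for o in offsets)
    out += f"trailer\n<< /Size {len(objs) + 1} /Root 1 0 R >>\nstartxref\n{xref}\n%%EOF\n".encode()
    return bytes(out)


def extract_urls(pdf_bytes):
    """Split URLs by channel: clickable (/URI actions) vs. present only as text."""
    clickable = [m.group(1).decode("latin-1") for m in URI_ACTION_RE.finditer(pdf_bytes)]
    anywhere = dict.fromkeys(m.group(0).decode("latin-1") for m in ANY_URL_RE.finditer(pdf_bytes))
    text_only = [u for u in anywhere if u not in set(clickable)]
    return clickable, text_only


def link_farm_verdict(pdf_bytes):
    """Apply the (hypothetical) link-farm rule to the clickable URLs only."""
    clickable, _ = extract_urls(pdf_bytes)
    targets = [urlparse(u) for u in clickable]
    ext_pdf = [t for t in targets if t.path.lower().endswith(".pdf")]
    shared = sum(1 for t in ext_pdf if UPLOAD_PATH_RE.match(t.path))
    fraction = shared / len(ext_pdf) if ext_pdf else 0.0
    return {
        "size_bytes": len(pdf_bytes),
        "external_pdf_links": len(ext_pdf),
        "distinct_hosts": len({t.hostname for t in ext_pdf}),
        "shared_path_fraction": round(fraction, 2),
        "link_farm": (len(pdf_bytes) <= MAX_CARRIER_SIZE
                      and len(ext_pdf) >= MIN_EXTERNAL_PDF_LINKS
                      and fraction >= MIN_SHARED_PATH_FRACTION),
    }


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_LINKS, SAMPLE_BODY)
    clickable, text_only = extract_urls(pdf)
    print(f"{len(clickable)} clickable, {len(text_only)} text-only: {text_only}")
    print(link_farm_verdict(pdf))
```

The regexes work on raw bytes, so on a real sample run them over a decompressed copy (for example `qpdf --qdf --object-streams=disable in.pdf out.pdf`); a /FlateDecode'd annotation array or object stream hides the /URI actions from a byte scan, which is exactly how "partially obfuscated" carriers slip past naive extractors.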

Extracted artifacts (3)

Files carved from inside the sample during analysis.

font_00_sfnt_off0000133d.bin
    SHA-256: 7905ba7b4ff54d7dfd50749ab096cbfd82effca4394703009bd0cb1172cf5533
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x133D
    Size:    8428 bytes

font_01_sfnt_off0000906b.bin
    SHA-256: 63f5e27ee3d24cc00d413e59c301cc73ab377383609796993547673f2bea898c
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x906B
    Size:    2600 bytes

font_02_sfnt_off000098fe.bin
    SHA-256: 298f87a37b282755b17879ef28bd8008b5d5927fa8ce0db4577aba4a05cf2386
    Kind:    pdf-font-stream
    Source:  PDF embedded font (sfnt) at offset 0x98FE
    Size:    16152 bytes
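The artifacts above are sfnt (TrueType/OpenType) fonts carved at fixed offsets and hashed. To reproduce that kind of carve, or to check that a listed offset and size really bound one font and nothing more, the font's own table directory gives its extent: the font ends where its furthest table ends. The following added example (not the analyzer's carver) scans a constructed byte blob for sfnt headers, validates the directory so that a stray PDF boolean `true` is not taken for an Apple TrueType header, and returns offset, length and SHA-256 per font. The two fonts and the surrounding PDF fragments are constructed for the example.

```python
"""Carve embedded sfnt fonts out of a raw PDF byte stream and hash them.
Added example, not the analyzer's own carver."""
import hashlib
import re
import struct

# sfnt version tags: TrueType, CFF-based OpenType, Apple TrueType.
SFNT_MAGIC = re.compile(rb"\x00\x01\x00\x00|OTTO|true")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def sfnt_extent(buf, off):
    """Length of the sfnt starting at buf[off], or None if the table directory is
    not plausible. The font ends where its furthest table ends, rounded to 4 bytes."""
    if off + 12 > len(buf):
        return None
    num_tables = struct.unpack_from(">H", buf, off + 4)[0]
    if not 1 <= num_tables <= 64:                 # real fonts have a few dozen at most
        return None
    dir_end = off + 12 + 16 * num_tables
    if dir_end > len(buf):
        return None
    end = dir_end
    for i in range(num_tables):
        tag, _csum, toff, tlen = struct.unpack_from(">4sIII", buf, off + 12 + 16 * i)
        if not all(0x20 <= c <= 0x7E for c in tag):   # tags are printable ASCII
            return None
        if toff < 12 + 16 * num_tables or off + toff + tlen > len(buf):
            return None                            # tables follow the directory and fit
        end = max(end, off + toff + tlen)
    return min((end - off + 3) & ~3, len(buf) - off)


def carve_sfnt(buf):
    """Find every plausible sfnt in buf; skip bytes inside an already carved font."""
    found, resume = [], 0
    for m in SFNT_MAGIC.finditer(buf):
        if m.start() < resume:
            continue
        length = sfnt_extent(buf, m.start())
        if length is None:
            continue
        blob = buf[m.start():m.start() + length]
        found.append({"offset": m.start(), "length": length, "sha256": sha256_hex(blob)})
        resume = m.start() + length
    return found


def build_fake_sfnt(tables):
    """Constructed sfnt: header, table directory, then table data padded to 4 bytes.
    searchRange/entrySelector/rangeShift are zeroed; a carver does not need them."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    records, data = b"", b""
    for tag, body in tables:
        records += struct.pack(">4sIII", tag, 0, 12 + 16 * n + len(data), len(body))
        data += body + b"\0" * (-len(body) % 4)
    return header + records + data


def pdf_stream(num, data):
    return b"%d 0 obj\n<< /Length %d >>\nstream\n" % (num, len(data)) + data + b"\nendstream\nendobj\n"


# Constructed carrier: two font streams plus a PDF boolean "true" that must be
# rejected by the directory check rather than carved as a font.
FONT_A = build_fake_sfnt([(b"head", bytes(54)),
                          (b"name", b"DejaVu Sans - http://dejavu.sourceforge.net")])
FONT_B = build_fake_sfnt([(b"head", bytes(54)),
                          (b"name", b"Liberation Sans - http://www.ascendercorp.com/"),
                          (b"OS/2", bytes(96))])
SAMPLE_BLOB = (b"%PDF-1.4\n1 0 obj\n<< /Marked true /Foo 1 >>\nendobj\n"
               + pdf_stream(2, FONT_A) + b"junk " * 3 + pdf_stream(3, FONT_B) + b"%%EOF\n")


if __name__ == "__main__":
    for r in carve_sfnt(SAMPLE_BLOB):
        print(f"sfnt at offset 0x{r['offset']:X}, {r['length']} bytes, sha256 {r['sha256']}")
```

As with any byte-level carve, run it on a decompressed copy of the PDF: embedded fonts are normally inside /FlateDecode'd /FontFile2 or /FontFile3 streams, and the offsets in the table above only make sense relative to whichever representation the analyzer scanned.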